-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Maxim Khitrov
Sent: Monday, May 21, 2007 6:14 PM
To: freebsd-questions@freebsd.org
Subject: Re: Sendmail ignores hosts.allow
however, I had a feeling that it was jail-related. But what about the
hosts.allow problem? I can run a firewall, of course, but hosts.allow
seems like a more efficient way of doing the same thing. I've already
got it configured and working with sshd, so I see no reason why
sendmail doesn't want to work the same way.
You said earlier that your sendmail was compiled with tcp wrapper
support. How exactly did you go about doing this and installing it?
In any case, since you're not going to be using sendmail much, if you're
that paranoid I would suggest you simply disable it and run it out
of inetd. Then use the usual tcpd method (in the man page) to run
inetd.
Ted
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Maxim Khitrov wrote:
Do you know
if there is a reason they chose to do it this way? Accept the
connection, but don't allow the client to do anything with it?
If sendmail just dropped the connection, then the sending MTA would
retry the message, potentially every 15 minutes for up to 5 days.
The way sendmail does it, the sending MTA gets a 5xx permanent
error message straight away, meaning it tries once and then fails.
Of course, that assumes the MTAs involved are doing something like
following the appropriate RFCs, which most of the spambots fail to
do.
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey

On 5/22/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
I suspect sendmail is reading /etc/hosts.allow
# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a First match wins basis.
#ALL : ALL : allow
Did you comment out the above line?
Steve
Here's the entire file as it is right now:
# Deny sendmail to all clients (temporary)
sendmail : all : deny
# Allow anything from localhost
all : local ip : allow
# Process SSH deny rules
sshd : /etc/hosts.evil : deny
# Allow everything else
all : all : allow
Once I can get sendmail to block all connection requests, I'll move it
below the second rule. That way, only local processes will be able to
use it. For now, however, that rule is being ignored completely.
- Max
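The ordering question in the file above (first match wins, and what moving the sendmail deny below the localhost allow changes) can be checked without touching a live box. The following is an added example, not code from the thread or from libwrap: a small Python model of a FreeBSD-style single-file hosts.allow. It assumes 192.0.2.10 as the jail's address (standing in for "local ip"), constructs the contents of /etc/hosts.evil inline, and leaves out EXCEPT, netgroups, hostname patterns and the twist/spawn options of hosts_access(5).

```python
"""First-match-wins model of a FreeBSD-style single-file /etc/hosts.allow.

Added example, not code from the thread or from libwrap. Only the pieces the
thread uses are modelled: ALL, literal IPv4 addresses, CIDR networks,
'localhost' and an external pattern file such as /etc/hosts.evil.
"""
import ipaddress

# Assumption: the jail's own address, standing in for "local ip" in the thread.
JAIL_IP = "192.0.2.10"

# Constructed stand-in for the contents of /etc/hosts.evil (one pattern per token).
PATTERN_FILES = {"/etc/hosts.evil": "198.51.100.7\n203.0.113.0/24\n"}


def parse_rules(text):
    """Turn hosts.allow text into (daemon_tokens, client_tokens, action) triples.

    Comments and blank lines are skipped. Fields are split on ':' (so IPv6
    literals, which libwrap writes in brackets, are not handled here)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3:
            continue
        daemons, clients, action = fields
        rules.append((daemons.split(), clients.split(), action.lower()))
    return rules


def _client_matches(token, client_ip):
    """Does one client-list token match the connecting address?"""
    ip = ipaddress.ip_address(client_ip)
    low = token.lower()
    if low == "all":
        return True
    if low == "localhost":
        return ip.is_loopback
    if token.startswith("/"):  # pattern file: any token inside it may match
        return any(_client_matches(t, client_ip)
                   for t in PATTERN_FILES.get(token, "").split())
    try:
        if "/" in token:
            return ip in ipaddress.ip_network(token, strict=False)
        return ip == ipaddress.ip_address(token)
    except ValueError:
        return False  # hostname patterns are not modelled


def decide(rules, daemon, client_ip):
    """First matching (daemon, client) pair wins. No match means access is
    granted, as hosts_access(5) documents for a pair found in neither list."""
    for daemons, clients, action in rules:
        daemon_hit = any(d.lower() in ("all", daemon.lower()) for d in daemons)
        if daemon_hit and any(_client_matches(c, client_ip) for c in clients):
            return action
    return "allow"


# The file as posted in the thread, with JAIL_IP substituted for "local ip".
AS_POSTED = f"""
# Deny sendmail to all clients (temporary)
sendmail : all : deny
# Allow anything from localhost
all : localhost {JAIL_IP} : allow
# Process SSH deny rules
sshd : /etc/hosts.evil : deny
# Allow everything else
all : all : allow
"""

# The ordering the poster says he intends once the deny rule is seen to work.
REORDERED = f"""
all : localhost {JAIL_IP} : allow
sendmail : all : deny
sshd : /etc/hosts.evil : deny
all : all : allow
"""
```

With AS_POSTED the sendmail deny sits first, so even the jail's own address is refused; with REORDERED the allow for localhost and JAIL_IP is consulted first and only remote clients hit the deny, which is the intended end state. Whether the daemon actually calls hosts_access() at all is a separate question the rest of the thread answers.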

On 5/22/07, doug [EMAIL PROTECTED] wrote:
On Tue, 22 May 2007, Maxim Khitrov wrote:
On 5/22/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
I suspect sendmail is reading /etc/hosts.allow
# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a First match wins basis.
#ALL : ALL : allow
Did you comment out the above line?
Steve
Here's the entire file as it is right now:
# Deny sendmail to all clients (temporary)
sendmail : all : deny
# Allow anything from localhost
all : local ip : allow
# Process SSH deny rules
sshd : /etc/hosts.evil : deny
# Allow everything else
all : all : allow
Once I can get sendmail to block all connection requests, I'll move it
below the second rule. That way, only local processes will be able to
use it. For now, however, that rule is being ignored completely.
The default configuration gives you what you want so I assume your goal is to
see if you can make hosts.allow work within a jail. In general there are
performance reasons not to use inetd to control ssh and sendmail. ssh under
inetd causes more key generation. Sendmail has its own controls which give you
the equivalent (or better) than can be done with inetd.
I assume from an earlier post you are trying to make this work inside a jail. If
that's true you must also have in the jail rc.conf
inetd_flags="-wW -a your-ip-address"
I assume you have this or you would not have been able to control ssh. All that
said, I have only used inetd to control ftp/imap/pop3. It seems to me your
specific question is: does this work inside a jail and is any special setup
required to make it work with sendmail. Sorry I can not help more.
Doug
I'm not sure I understand what you mean... I'm not using inetd, and
the default configuration doesn't block sendmail from all remote
hosts. The ssh server is running all by itself, same as sendmail. The
way I understand it is that as long as the server was compiled with
tcp wrappers, it should follow the rules in hosts.allow.
- Max

On May 22, 2007, at 10:46, Maxim Khitrov wrote:
On 5/22/07, doug [EMAIL PROTECTED] wrote:
On Tue, 22 May 2007, Maxim Khitrov wrote:
On 5/22/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
I suspect sendmail is reading /etc/hosts.allow
# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a First match wins basis.
#ALL : ALL : allow
Did you comment out the above line?
Steve
Here's the entire file as it is right now:
# Deny sendmail to all clients (temporary)
sendmail : all : deny
# Allow anything from localhost
all : local ip : allow
# Process SSH deny rules
sshd : /etc/hosts.evil : deny
# Allow everything else
all : all : allow
Once I can get sendmail to block all connection requests, I'll move it
below the second rule. That way, only local processes will be able to
use it. For now, however, that rule is being ignored completely.
The default configuration gives you what you want so I assume your goal is to
see if you can make hosts.allow work within a jail. In general there are
performance reasons not to use inetd to control ssh and sendmail. ssh under
inetd causes more key generation. Sendmail has its own controls which give you
the equivalent (or better) than can be done with inetd.
I assume from an earlier post you are trying to make this work inside a jail. If
that's true you must also have in the jail rc.conf
inetd_flags="-wW -a your-ip-address"
I assume you have this or you would not have been able to control ssh. All that
said, I have only used inetd to control ftp/imap/pop3. It seems to me your
specific question is: does this work inside a jail and is any special setup
required to make it work with sendmail. Sorry I can not help more.
Doug
I'm not sure I understand what you mean... I'm not using inetd, and
the default configuration doesn't block sendmail from all remote
hosts. The ssh server is running all by itself, same as sendmail. The
way I understand it is that as long as the server was compiled with
tcp wrappers, it should follow the rules in hosts.allow.
tcp wrappers must be coded into the application. The call which
actually checks the access permissions in the hosts.allow file is
hosts_access() (see man hosts_access). Checking through the sendmail
source for version 8.13.8, there are no calls to hosts_access in the
source code. You will need to patch sendmail to make it do what you
want. There might be patches at www.sendmail.org for that, but I
doubt it. openssh's sshd.c is probably a good template to use.

Doug Hardie wrote:
On May 22, 2007, at 10:46, Maxim Khitrov wrote:
# Deny sendmail to all clients (temporary)
sendmail : all : deny
tcp wrappers must be coded into the application. The call which
actually checks the access permissions in the hosts.allow file is
hosts_access() (see man hosts_access). Checking through the sendmail
I have to disagree with that. I run unmodified 8.13.8 on 6.2, and it DOES
respect hosts.allow. Just not in the way you might assume.
I can telnet to port 25, it allows connections from *anywhere*, and will respond to a HELO. It's not until I
give it a mail to: that it protests with 550 5.0.0 Access denied. I use
FEATURE(delay_checks) in the cf file, which may have some effect on this.
The log file shows:
May 22 14:56:47 cartman sm-mta[74026]: l4MIullh074026: tcpwrappers (unknown, 192.31.130.140) rejection
The actual version and options look like:
$ sendmail -bp -d0.1
Version 8.13.8
Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SCANF
STARTTLS TCPWRAPPERS USERDB XDEBUG
$ uname -rms
FreeBSD 6.2-RELEASE i386
-RW
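To tell "the firewall dropped me" from "sendmail let me in and refused at MAIL FROM" without a second pair of eyes, a probe that records the stage at which the dialogue fails is useful. This is an added example, not from the thread or from sendmail: a Python client paired with an in-process stub that answers the way Rob's server does (banner and HELO succeed, 550 5.0.0 Access denied at MAIL FROM) and a second stub that simply closes the connection, which is what the original poster expected. Host names, the banner text and the ports are constructed.

```python
"""Probe an SMTP listener and report the stage at which it turns a client away.

Added example, not from the thread or from sendmail. The stubs reproduce the
two behaviours discussed offline; against a real host call probe(host, 25).
"""
import socket
import socketserver
import threading


class WrappedSendmailStub(socketserver.StreamRequestHandler):
    """Answers like a TCPWRAPPERS-built sendmail whose deny rule matched:
    greeting and HELO succeed, MAIL FROM draws a permanent 5xx."""

    def handle(self):
        self.wfile.write(b"220 cartman.example ESMTP (constructed stub)\r\n")
        for raw in self.rfile:
            verb = raw.decode("ascii", "replace").split(None, 1)[0].upper() if raw.strip() else ""
            if verb in ("HELO", "EHLO"):
                self.wfile.write(b"250 cartman.example Hello\r\n")
            elif verb == "MAIL":
                self.wfile.write(b"550 5.0.0 Access denied\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            else:
                self.wfile.write(b"500 5.5.1 Command unrecognized\r\n")


class DroppingStub(socketserver.BaseRequestHandler):
    """What the poster expected from a deny rule: the connection is closed
    without a banner, as tcpd or a packet filter would do."""

    def handle(self):
        return  # server closes the socket as soon as handle() returns


def start_stub(handler=WrappedSendmailStub):
    """Start a stub on an ephemeral loopback port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def free_closed_port():
    """A loopback port nothing listens on (bound, then released)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def _reply(rd):
    """Read one (possibly multi-line) SMTP reply; None means the peer closed."""
    while True:
        line = rd.readline()
        if not line:
            return None
        text = line.decode("ascii", "replace").rstrip("\r\n")
        # A continuation line is 'NNN-'; the final line of a reply is 'NNN ' or bare 'NNN'.
        if len(text) >= 3 and text[:3].isdigit() and (len(text) == 3 or text[3] != "-"):
            return int(text[:3])


def probe(host, port, helo="probe.example", sender="probe@example.invalid"):
    """Return where the dialogue fails: connect-refused, dropped-at-greeting,
    rejected-at-greeting, rejected-at-helo, rejected-at-mail-from or accepted."""
    try:
        sock = socket.create_connection((host, port), timeout=5)
    except ConnectionRefusedError:
        return "connect-refused"
    with sock, sock.makefile("rb") as rd:
        code = _reply(rd)
        if code is None:
            return "dropped-at-greeting"
        if code >= 400:
            return "rejected-at-greeting"
        sock.sendall(f"HELO {helo}\r\n".encode())
        code = _reply(rd)
        if code is None or code >= 400:
            return "rejected-at-helo"
        sock.sendall(f"MAIL FROM:<{sender}>\r\n".encode())
        code = _reply(rd)
        sock.sendall(b"QUIT\r\n")
        _reply(rd)  # let the server answer QUIT before we close
        if code is None or code >= 400:
            return "rejected-at-mail-from"
        return "accepted"
```

Expect "rejected-at-mail-from" from a TCPWRAPPERS-built sendmail with a matching deny rule, and "connect-refused" or "dropped-at-greeting" when a packet filter or tcpd is doing the blocking. Testing only with a bare telnet and a HELO, as the original poster did, cannot distinguish the first case from an open relay.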

Maxim Khitrov wrote:
I'm not sure I understand what you mean... I'm not using inetd, and
the default configuration doesn't block sendmail from all remote
hosts. The ssh server is running all by itself, same as sendmail. The
way I understand it is that as long as the server was compiled with
tcp wrappers, it should follow the rules in hosts.allow.
Sendmail is different from other network apps in that it does not block
the connection when a deny rule is in effect, instead it sends some kind
of reject code (5xx) during the SMTP conversation.
If you check /var/log/maillog you may well see this happening.
If you search the mail archives (or try google) with some appropriate
keywords then you should find a post from Matthew Seaman which explains
it in detail. You could also search the source code, if you are somewhat
C literate.
If you want to completely block connections from specific hosts (or only
allow specific hosts) then I would suggest doing that with firewall rules.
Didn't follow the start of the thread very closely so I hope I got the
right end of the stick.
--Alex
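Since the rejection only shows up in the log, the line Rob quoted is the thing to search for. The following is an added example, not from the thread: a Python parser that pulls tcpwrappers rejections out of maillog text and counts them per client address. The regex is built from the one line on the page; the other sample lines are constructed, and the 203.0.113.25 client is made up.

```python
"""Extract sendmail's tcpwrappers rejections from maillog text.

Added example, not from the thread. Matches the line shape Rob posted:
  <ts> <host> sm-mta[<pid>]: <queue id>: tcpwrappers (<rdns>, <ip>) rejection
"""
import re
from collections import Counter

TCPWRAP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sm-mta\[(?P<pid>\d+)\]: "
    r"(?P<qid>\w+): tcpwrappers \((?P<rdns>[^,]+), (?P<ip>[^)]+)\) rejection$"
)

# Constructed sample: the first line is the one from the thread, the rest are made up.
SAMPLE_MAILLOG = """\
May 22 14:56:47 cartman sm-mta[74026]: l4MIullh074026: tcpwrappers (unknown, 192.31.130.140) rejection
May 22 14:57:02 cartman sm-mta[74031]: l4MIv2ab074031: from=<root@cartman>, size=412, class=0, nrcpts=1, relay=root@localhost
May 22 14:58:10 cartman sm-mta[74040]: l4MIwAcd074040: tcpwrappers (unknown, 192.31.130.140) rejection
May 22 14:59:31 cartman sm-mta[74055]: l4MIxVef074055: tcpwrappers (mail.example.net, 203.0.113.25) rejection
"""


def tcpwrappers_rejections(log_text):
    """One dict per rejection line (ts, host, pid, qid, rdns, ip), in log order."""
    hits = []
    for line in log_text.splitlines():
        m = TCPWRAP_RE.match(line)
        if m:
            hits.append(m.groupdict())
    return hits


def rejections_by_client(log_text):
    """Rejection count per client IP, the key a packet-filter rule would use."""
    return Counter(h["ip"] for h in tcpwrappers_rejections(log_text))
```

A client that keeps reappearing in this count is one that the wrapper rule turns away only after the TCP handshake and banner; if that traffic is worth dropping earlier, the per-IP counts are the input for a firewall table.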

On 5/22/07, Rob [EMAIL PROTECTED] wrote:
Doug Hardie wrote:
On May 22, 2007, at 10:46, Maxim Khitrov wrote:
# Deny sendmail to all clients (temporary)
sendmail : all : deny
tcp wrappers must be coded into the application. The call which
actually checks the access permissions in the hosts.allow file is
hosts_access() (see man hosts_access). Checking through the sendmail
I have to disagree with that. I run unmodified 8.13.8 on 6.2, and it DOES
respect hosts.allow. Just not in the way you might assume.
I can telnet to port 25, it allows connections from *anywhere*, and will respond to a HELO. It's not until I
give it a mail to: that it protests with 550 5.0.0 Access denied. I use
FEATURE(delay_checks) in the cf file, which may have some effect on this.
The log file shows:
May 22 14:56:47 cartman sm-mta[74026]: l4MIullh074026: tcpwrappers (unknown, 192.31.130.140) rejection
The actual version and options look like:
$ sendmail -bp -d0.1
Version 8.13.8
Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SCANF
STARTTLS TCPWRAPPERS USERDB XDEBUG
$ uname -rms
FreeBSD 6.2-RELEASE i386
-RW
You know, I could have sworn that I checked actually sending the
message through telnet yesterday with the deny rule in place. You're
right though, it fails right after I give it the mail from command. Guess
I didn't keep good track of what I was checking each time. Do you know
if there is a reason they chose to do it this way? Accept the
connection, but don't allow the client to do anything with it? I
didn't find FEATURE(delay_checks) in any of my cf files, so I think
it's something else. Well at any rate, thanks for your help.
- Max

On May 22, 2007, at 1:21 PM, Maxim Khitrov wrote:
Do you know if there is a reason they chose to do it this way?
Accept the
connection, but don't allow the client to do anything with it?
There is some advantage to getting enough info from attempted spam to
produce useful logging messages, even if you want your mail system to
eventually return a 5xx permanent failure.
Some people also find that accepting and tying up spammer connections
can help reduce the rate that spam gets pumped out, although for that
to be really effective, it helps to have a teergrube (German for
tarpit) in your MX list which is specially designed to very slowly
accept traffic from potential spammers without tying down a lot of
your own bandwidth.
--
-Chuck

On Tue, 22 May 2007 11:37:24 -0400 Maxim Khitrov [EMAIL PROTECTED]
wrote:
On 5/22/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
I suspect sendmail is reading /etc/hosts.allow
Why would anyone expect that? /etc/hosts.allow is one of the control
files for the TCP wrapper program, tcpd. (See man tcpd.)
# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a First match wins basis.
#ALL : ALL : allow
Did you comment out the above line?
Steve
Here's the entire file as it is right now:
# Deny sendmail to all clients (temporary)
sendmail : all : deny
# Allow anything from localhost
all : local ip : allow
# Process SSH deny rules
sshd : /etc/hosts.evil : deny
# Allow everything else
all : all : allow
Once I can get sendmail to block all connection requests, I'll move it
below the second rule. That way, only local processes will be able to
use it. For now, however, that rule is being ignored completely.
Okay. First off, as noted above, /etc/hosts.{allow,deny} are not
sendmail(8) control files. They are tcpd(8) control files.
Secondly, tcpd is normally interposed between inetd(8), which has
essentially no built-in means of deciding whether to accept or reject
TCP connections based upon the source address of the connection request.
Instead of listing a particular program in /etc/inetd.conf as the program
to run to service an incoming connection on a particular port, one lists
the tcpd program and provides *it* the path of the desired service program.
tcpd then looks at /etc/hosts.{allow,deny} to determine whether to close
the connection or to pass it along to the service program.
Third, it is possible to run sendmail in non-daemon mode. If one
does not wish to tie up kernel resources to keep a sendmail process in the
system all the time, for example, one can list sendmail in /etc/inetd.conf
for the SMTP port (25), so that an inbound connection will result in inetd(8)
forking off a sendmail process to handle it. (See man sendmail, and try
/usr/sbin/sendmail -bm IIRC.) It is in this setup *only* that the
/etc/hosts.{allow,deny} files should have any effect whatsoever upon whether
incoming connections are handled by sendmail. N.B. even in this case, it
is tcpd reading those files and making the decisions, *not* sendmail.
Scott Bennett, Comm. ASMELG, CFIAG
Internet: bennett at cs.niu.edu
"A well regulated and disciplined militia, is at all times a good
objection to the introduction of that bane of all free governments
-- a standing army."
-- Gov. John Hancock, New York Journal, 28 January 1790

On 5/21/07, Mikhail Goriachev [EMAIL PROTECTED] wrote:
Maxim Khitrov wrote:
Hello,
I'm trying to restrict access to sendmail via hosts.allow. Don't need
a firewall, since I just want to block everyone but the localhost from
sending e-mail out. Anyway, it seems that sendmail ignores these
settings even though it was compiled with TCPWRAPPERS. I added
sendmail : all : deny as the very first line in hosts.allow, just to
see if it will let me connect from anywhere. It does - not just from
localhost, but from all remote locations as well. I have no problems
connecting and sending e-mail. Am I missing something?
I followed your earlier thread (hopefully this is a related topic). This
is strange. By default, sendmail is disabled. You don't even have to put
anything into rc.conf:
# grep sendmail /etc/defaults/rc.conf
Sendmail listens and accepts local mail only. You can't connect to it
from another machine:
# telnet some.host.tld 25
Trying 1.2.3.4...
telnet: connect to address 1.2.3.4: Connection refused
telnet: Unable to connect to remote host
You must've tweaked something to make it behave differently.
I tested the same setup with sshd, and that works properly. After a
quick search on google it seems that I'm not the only one with this
problem, but I couldn't find any solution to this. Any help is greatly
appreciated.
Share with us your testing methodology. From previous thread, I
understand that you just want something to submit your local mail (from
daemons, scripts, etc). Then as others already said, a simple alias in
/etc/mail/aliases and executing newaliases is sufficient.
Ok, so here's my current setup. I have sendmail_enable=NO in rc.conf
(same as not having it there I guess), I've modified /etc/mail/aliases
to forward everything sent to root to my gmail account, and I added
sendmail : all : deny as the first line to /etc/hosts.allow while
I'm testing everything. Once I make sure that the deny rule works,
I'll allow access to sendmail only from localhost. This is all on
FreeBSD 6.2, but it's running in a jail, so that might have some
effect.
From my previous thread, sendmail is used only to accept messages sent
by processes running on the server, and send them to real e-mails
specified in /etc/aliases. That part works. However, even though
sendmail_enable is set to NO in rc.conf, sendmail still listens on
port 25, accepts mail from remote hosts, and the hosts.allow rule
doesn't seem to apply. Strange, isn't it? By the way, I just tried
removing sendmail_enable line from rc.conf completely and that had no
effect.
All I do for testing is basically start/restart sendmail, then telnet
to the server from my workstation at home. I get a standard reply, and
can then do the usual HELO, MAIL FROM, RCPT TO, DATA, and so on.
Relaying doesn't work, but sending to and all other aliases works fine
(which in this case is bad).
Think this might be some bug when sendmail is running in a jail? I
haven't modified anything beyond what's mentioned in this e-mail, and
I've checked all the settings. I can definitely connect to the server
from remote hosts despite the rc.conf and hosts.allow configuration.
- Maxim Khitrov

Maxim Khitrov wrote:
Hello,
I'm trying to restrict access to sendmail via hosts.allow. Don't need
a firewall, since I just want to block everyone but the localhost from
sending e-mail out. Anyway, it seems that sendmail ignores these
settings even though it was compiled with TCPWRAPPERS. I added
sendmail : all : deny as the very first line in hosts.allow, just to
see if it will let me connect from anywhere. It does - not just from
localhost, but from all remote locations as well. I have no problems
connecting and sending e-mail. Am I missing something?
I followed your earlier thread (hopefully this is a related topic). This
is strange. By default, sendmail is disabled. You don't even have to put
anything into rc.conf:
# grep sendmail /etc/defaults/rc.conf
Sendmail listens and accepts local mail only. You can't connect to it
from another machine:
# telnet some.host.tld 25
Trying 1.2.3.4...
telnet: connect to address 1.2.3.4: Connection refused
telnet: Unable to connect to remote host
You must've tweaked something to make it behave differently.
I tested the same setup with sshd, and that works properly. After a
quick search on google it seems that I'm not the only one with this
problem, but I couldn't find any solution to this. Any help is greatly
appreciated.
Share with us your testing methodology. From previous thread, I
understand that you just want something to submit your local mail (from
daemons, scripts, etc). Then as others already said, a simple alias in
/etc/mail/aliases and executing newaliases is sufficient.
Regards,
Mikhail.
--
Mikhail Goriachev
Webanoide
Telephone: +61 (0)3 62252501
Mobile Phone: +61 (0)4 38255158
E-Mail: [EMAIL PROTECTED]
Web: www.webanoide.org

On Mon, 21 May 2007, Maxim Khitrov wrote:
On 5/21/07, Mikhail Goriachev [EMAIL PROTECTED] wrote:
Maxim Khitrov wrote:
Hello,
I'm trying to restrict access to sendmail via hosts.allow. Don't need
a firewall, since I just want to block everyone but the localhost from
sending e-mail out. Anyway, it seems that sendmail ignores these
settings even though it was compiled with TCPWRAPPERS. I added
sendmail : all : deny as the very first line in hosts.allow, just to
see if it will let me connect from anywhere. It does - not just from
localhost, but from all remote locations as well. I have no problems
connecting and sending e-mail. Am I missing something?
I followed your earlier thread (hopefully this is a related topic). This
is strange. By default, sendmail is disabled. You don't even have to put
anything into rc.conf:
# grep sendmail /etc/defaults/rc.conf
Sendmail listens and accepts local mail only. You can't connect to it
from another machine:
# telnet some.host.tld 25
Trying 1.2.3.4...
telnet: connect to address 1.2.3.4: Connection refused
telnet: Unable to connect to remote host
You must've tweaked something to make it behave differently.
I tested the same setup with sshd, and that works properly. After a
quick search on google it seems that I'm not the only one with this
problem, but I couldn't find any solution to this. Any help is greatly
appreciated.
Share with us your testing methodology. From previous thread, I
understand that you just want something to submit your local mail (from
daemons, scripts, etc). Then as others already said, a simple alias in
/etc/mail/aliases and executing newaliases is sufficient.
Ok, so here's my current setup. I have sendmail_enable=NO in rc.conf
(same as not having it there I guess), I've modified /etc/mail/aliases
to forward everything sent to root to my gmail account, and I added
sendmail : all : deny as the first line to /etc/hosts.allow while
I'm testing everything. Once I make sure that the deny rule works,
I'll allow access to sendmail only from localhost. This is all on
FreeBSD 6.2, but it's running in a jail, so that might have some
effect.
sendmail_enable=NO means there is no sendmail daemon running. You can verify
this via ps -aux | grep sendmail. Remove that statement. Without a reboot you
can start sendmail by cd /etc/mail; make start.
Unless you have changed the freebsd.mc file and done a 'make install' I do not
believe sendmail will accept any connections except on 127.0.0.1
(localhost). This is what you want I think. If that's it as others have said,
there is no reason to use the hosts.allow mechanism. This is independent of the
jail environment.
sockstat|grep sendmail
and you can see whats going on.

On 5/21/07, doug [EMAIL PROTECTED] wrote:
sendmail_enable=NO means there is no sendmail daemon running. You can verify
this via ps -aux | grep sendmail. Remove that statement. Without a reboot you
can start sendmail by cd /etc/mail; make start.
Unless you have changed the freebsd.mc file and done a 'make install' I do not
believe sendmail will accept any connections except on 127.0.0.1
(localhost). This is what you want I think. If that's it as others have said,
there is no reason to use the hosts.allow mechanism. This is independent of the
jail environment.
sockstat|grep sendmail
and you can see whats going on.
Not the case for me, having sendmail_enable=NO and not having it in
rc.conf results in the same behavior. Here's sendmail rcvar output:
Without sendmail_enable in rc.conf:
# sendmail
$sendmail_enable=NO
# sendmail_submit
$sendmail_submit_enable=YES
# sendmail_clientmqueue
$sendmail_msp_queue_enable=YES
With sendmail_enable=NO:
# sendmail
$sendmail_enable=NO
# sendmail_submit
$sendmail_submit_enable=YES
# sendmail_clientmqueue
$sendmail_msp_queue_enable=YES
With sendmail_enable=NONE:
# sendmail
$sendmail_enable=NO
# sendmail_clientmqueue
$sendmail_msp_queue_enable=NO
So the first two are identical (I don't see why they wouldn't be). As
for the sendmail daemon, here's what grep tells me after the server is
started:
[EMAIL PROTECTED] [/]# ps -aux | grep sendmail
smmsp 16473 0.0 0.1 3384 2276 ?? IsJ 4:47PM 0:00.00
sendmail: Queue [EMAIL PROTECTED]:30:00 for /var/spool/clientmqueue (sendmail
root 20951 0.0 0.1 3484 2480 ?? SsJ 5:37PM 0:00.00
sendmail: accepting connections (sendmail)
root 21303 0.0 0.0 1592 912 pn S+J 5:37PM 0:00.00 grep sendmail
And here's sockstat output:
[EMAIL PROTECTED] [/]# sockstat -l4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS   FOREIGN ADDRESS
root     sendmail   20951 4  tcp4   ip:25           *:*
root     syslogd    45182 6  udp4   ip:514          *:*
root     sshd       60371 3  tcp4   ip:22           *:*
As you can see, sendmail is happily listening for all incoming
connections with the NO setting. If it would only listen on
localhost, then that would be the end of my problems. However,
remember that the jail environment doesn't have localhost. In other
words 127.0.0.1 does not refer to the jail. Loopback for me is the
server's wan ip (hey that rhymes :), which is why I think that not
having 127.0.0.1 may be confusing to sendmail.
- Max

Maxim Khitrov wrote:
On 5/21/07, Mikhail Goriachev [EMAIL PROTECTED] wrote:
Maxim Khitrov wrote:
Hello,
I'm trying to restrict access to sendmail via hosts.allow. Don't need
a firewall, since I just want to block everyone but the localhost from
sending e-mail out. Anyway, it seems that sendmail ignores these
settings even though it was compiled with TCPWRAPPERS. I added
sendmail : all : deny as the very first line in hosts.allow, just to
see if it will let me connect from anywhere. It does - not just from
localhost, but from all remote locations as well. I have no problems
connecting and sending e-mail. Am I missing something?
I followed your earlier thread (hopefully this is a related topic). This
is strange. By default, sendmail is disabled. You don't even have to put
anything into rc.conf:
# grep sendmail /etc/defaults/rc.conf
Sendmail listens and accepts local mail only. You can't connect to it
from another machine:
# telnet some.host.tld 25
Trying 1.2.3.4...
telnet: connect to address 1.2.3.4: Connection refused
telnet: Unable to connect to remote host
You must've tweaked something to make it behave differently.
I tested the same setup with sshd, and that works properly. After a
quick search on google it seems that I'm not the only one with this
problem, but I couldn't find any solution to this. Any help is greatly
appreciated.
Share with us your testing methodology. From previous thread, I
understand that you just want something to submit your local mail (from
daemons, scripts, etc). Then as others already said, a simple alias in
/etc/mail/aliases and executing newaliases is sufficient.
Ok, so here's my current setup. I have sendmail_enable=NO in rc.conf
(same as not having it there I guess), I've modified /etc/mail/aliases
to forward everything sent to root to my gmail account, and I added
sendmail : all : deny as the first line to /etc/hosts.allow while
I'm testing everything. Once I make sure that the deny rule works,
I'll allow access to sendmail only from localhost. This is all on
FreeBSD 6.2, but it's running in a jail, so that might have some
effect.
From my previous thread, sendmail is used only to accept messages sent
by processes running on the server, and send them to real e-mails
specified in /etc/aliases. That part works. However, even though
sendmail_enable is set to NO in rc.conf, sendmail still listens on
port 25, accepts mail from remote hosts, and the hosts.allow rule
doesn't seem to apply. Strange, isn't it? By the way, I just tried
removing sendmail_enable line from rc.conf completely and that had no
effect.
All I do for testing is basically start/restart sendmail, then telnet
to the server from my workstation at home. I get a standard reply, and
can then do the usual HELO, MAIL FROM, RCPT TO, DATA, and so on.
Relaying doesn't work, but sending to and all other aliases works fine
(which in this case is bad).
Think this might be some bug when sendmail is running in a jail? I
haven't modified anything beyond what's mentioned in this e-mail, and
I've checked all the settings. I can definitely connect to the server
from remote hosts despite the rc.conf and hosts.allow configuration.
This is a different story now. On your host machine (as in jails' host),
sendmail binds to localhost and never responds to outside world. This is
expected. However, sendmail in a jail, binds to jail's IP address and
that is why you can talk to it from outside.
Run this on your host:
# sockstat -4l | grep sendmail
The output should look like this:
root     sendmail   1624  4  tcp4   1.2.3.5:25      *:*
root     sendmail   1624  4  tcp4   1.2.3.4:25      *:*
root     sendmail   1624  4  tcp4   1.2.3.3:25      *:*
root     sendmail   1624  4  tcp4   1.2.3.2:25      *:*
root     sendmail   1208  3  tcp4   127.0.0.1:25    *:*
The first four are jails. The last one is host's sendmail being disabled.
I'd suggest using a firewall to protect your jails instead of trying to
completely disable sendmails.
Regards,
Mikhail.
--
Mikhail Goriachev
Webanoide
Telephone: +61 (0)3 62252501
Mobile Phone: +61 (0)4 38255158
E-Mail: [EMAIL PROTECTED]
Web: www.webanoide.org
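The sockstat check Mikhail describes is easy to automate. The following is an added example, not from the thread: a Python parser for sockstat -4l output that lists every sendmail socket bound to something other than loopback (a jail address or a wildcard bind), which is what actually decides whether the outside world can reach port 25. The sample output is constructed from the lines posted in the thread plus a made-up *:587 submission socket.

```python
"""List sendmail listeners reachable from beyond loopback in sockstat -4l output.

Added example, not from the thread. Reads FreeBSD's sockstat column layout
(USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS); IPv4 only, since
the thread runs sockstat with -4.
"""
import ipaddress

# Constructed from the lines posted in the thread; the *:587 row is made up.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   1624  4  tcp4   1.2.3.5:25            *:*
root     sendmail   1624  4  tcp4   1.2.3.4:25            *:*
root     sendmail   1208  3  tcp4   127.0.0.1:25          *:*
root     sendmail   42262 5  tcp4   *:587                 *:*
root     sshd       60371 3  tcp4   1.2.3.4:22            *:*
root     syslogd    45182 6  udp4   1.2.3.4:514           *:*
"""


def parse_sockstat(text):
    """One dict per socket row; the header row is skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0] == "USER":
            continue
        user, command, pid, fd, proto, local, foreign = parts[:7]
        addr, _, port = local.rpartition(":")  # '*:25' -> ('*', '25')
        rows.append({"user": user, "command": command, "pid": int(pid),
                     "proto": proto, "addr": addr, "port": int(port),
                     "foreign": foreign})
    return rows


def is_exposed(addr):
    """Wildcard binds and anything outside the loopback range are reachable off-box."""
    if addr == "*":
        return True
    return not ipaddress.ip_address(addr).is_loopback


def exposed_listeners(text, command="sendmail"):
    """Sorted (pid, addr, port) for every listener of `command` that is exposed."""
    return sorted((r["pid"], r["addr"], r["port"])
                  for r in parse_sockstat(text)
                  if r["command"] == command and is_exposed(r["addr"]))
```

On the jail host, the 127.0.0.1:25 row is the default sendmail_enable=NO listener and is filtered out; the jail rows survive because a jail has no loopback of its own and the daemon binds the jail address instead. Any row this function returns is a listener that hosts.allow ordering alone will not hide from the network.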

doug wrote:
On Mon, 21 May 2007, Maxim Khitrov wrote:
On 5/21/07, Mikhail Goriachev [EMAIL PROTECTED] wrote:
Maxim Khitrov wrote:
Hello,
I'm trying to restrict access to sendmail via hosts.allow. Don't need
a firewall, since I just want to block everyone but the localhost from
sending e-mail out. Anyway, it seems that sendmail ignores these
settings even though it was compiled with TCPWRAPPERS. I added
sendmail : all : deny as the very first line in hosts.allow, just to
see if it will let me connect from anywhere. It does - not just from
localhost, but from all remote locations as well. I have no problems
connecting and sending e-mail. Am I missing something?
I followed your earlier thread (hopefully this is a related topic). This
is strange. By default, sendmail is disabled. You don't even have to put
anything into rc.conf:
# grep sendmail /etc/defaults/rc.conf
Sendmail listens and accepts local mail only. You can't connect to it
from another machine:
# telnet some.host.tld 25
Trying 1.2.3.4...
telnet: connect to address 1.2.3.4: Connection refused
telnet: Unable to connect to remote host
You must've tweaked something to make it behave differently.
I tested the same setup with sshd, and that works properly. After a
quick search on google it seems that I'm not the only one with this
problem, but I couldn't find any solution to this. Any help is greatly
appreciated.
Share with us your testing methodology. From previous thread, I
understand that you just want something to submit your local mail (from
daemons, scripts, etc). Then as others already said, a simple alias in
/etc/mail/aliases and executing newaliases is sufficient.
Ok, so here's my current setup. I have sendmail_enable=NO in rc.conf
(same as not having it there I guess), I've modified /etc/mail/aliases
to forward everything sent to root to my gmail account, and I added
sendmail : all : deny as the first line to /etc/hosts.allow while
I'm testing everything. Once I make sure that the deny rule works,
I'll allow access to sendmail only from localhost. This is all on
FreeBSD 6.2, but it's running in a jail, so that might have some
effect.
sendmail_enable=NO means there is no sendmail daemon running. You can verify
this via ps -aux | grep sendmail. Remove that statement. Without a reboot you
can start sendmail by cd /etc/mail; make start.
sendmail_enable=NO tells sendmail to bind to localhost only (hence it
becomes unreachable from the outside):
# sockstat -4l | grep sendmail
root sendmail 42310 4 tcp4 127.0.0.1:25 *:*
sendmail_enable=YES starts/adds the submit capability:
# sockstat -4l | grep sendmail
root sendmail 42262 4 tcp4 *:25 *:*
root sendmail 42262 5 tcp4 *:587 *:*
In both cases, executing ps -aux shows sendmail daemon is running.
The first knob is the default as per /etc/defaults/rc.conf
Unless you have changed the freebsd.mc file and done a 'make install' I do not
believe sendmail will accept any connections except on 127.0.0.1
(localhost). This is what you want I think. If that's it as others have said,
there is no reason to use the hosts.allow mechanism. This is independent of the
jail environment.
sockstat|grep sendmail
and you can see what's going on.
--
Mikhail Goriachev
Webanoide
Telephone: +61 (0)3 62252501
Mobile Phone: +61 (0)4 38255158
E-Mail: [EMAIL PROTECTED]
Web: www.webanoide.org

Maxim Khitrov wrote:
On 5/21/07, doug [EMAIL PROTECTED] wrote:
sendmail_enable=NO means there is no sendmail daemon running. You can verify
this via ps -aux | grep sendmail. Remove that statement. Without a reboot you
can start sendmail by cd /etc/mail; make start.
Unless you have changed the freebsd.mc file and done a 'make install' I do not
believe sendmail will accept any connections except on 127.0.0.1
(localhost). This is what you want I think. If that's it as others have said,
there is no reason to use the hosts.allow mechanism. This is independent of the
jail environment.
sockstat|grep sendmail
and you can see what's going on.
Not the case for me, having sendmail_enable=NO and not having it in
rc.conf results in the same behavior. Here's sendmail rcvar output:
Same behaviour because sendmail_enable=NO is already present in
/etc/defaults/rc.conf so putting in /etc/rc.conf or removing it from
there is the same thing.
Without sendmail_enable in rc.conf:
# sendmail
$sendmail_enable=NO
# sendmail_submit
$sendmail_submit_enable=YES
# sendmail_clientmqueue
$sendmail_msp_queue_enable=YES
With sendmail_enable=NO:
# sendmail
$sendmail_enable=NO
# sendmail_submit
$sendmail_submit_enable=YES
# sendmail_clientmqueue
$sendmail_msp_queue_enable=YES
With sendmail_enable=NONE:
# sendmail
$sendmail_enable=NO
# sendmail_clientmqueue
$sendmail_msp_queue_enable=NO
So the first two are identical (I don't see why they wouldn't be). As
for the sendmail daemon, here's what grep tells me after the server is
started:
[EMAIL PROTECTED] [/]# ps -aux | grep sendmail
smmsp 16473 0.0 0.1 3384 2276 ?? IsJ 4:47PM 0:00.00
sendmail: Queue [EMAIL PROTECTED]:30:00 for /var/spool/clientmqueue (sendmail
root 20951 0.0 0.1 3484 2480 ?? SsJ 5:37PM 0:00.00
sendmail: accepting connections (sendmail)
root 21303 0.0 0.0 1592 912 pn S+J 5:37PM 0:00.00 grep sendmail
And here's sockstat output:
[EMAIL PROTECTED] [/]# sockstat -l4
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sendmail 20951 4 tcp4 ip:25 *:*
root syslogd 45182 6 udp4 ip:514 *:*
root sshd 60371 3 tcp4 ip:22 *:*
As you can see, sendmail is happily listening for all incoming
connections with the NO setting. If it would only listen on
localhost, then that would be the end of my problems. However,
remember that the jail environment doesn't have localhost. In other
words 127.0.0.1 does not refer to the jail. Loopback for me is the
server's wan ip (hey that rhymes :), which is why I think that not
having 127.0.0.1 may be confusing to sendmail.
There you go. You just answered yourself.
--
Mikhail Goriachev
Webanoide
Telephone: +61 (0)3 62252501
Mobile Phone: +61 (0)4 38255158
E-Mail: [EMAIL PROTECTED]
Web: www.webanoide.org
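The two listings above (Mikhail's host view, where each jail's sendmail sits on its own 1.2.3.x address beside the host's loopback-only one, and Max's jail view, where the jail has no 127.0.0.1 and sendmail ends up on the jail's routable address) are both answers to the same question: which of these sockets can a remote peer actually reach? The following audit script is an added example, not code posted in this thread; it parses sockstat -4l output and flags every bind by a watched daemon that is not on a loopback address. The sample listings are constructed from the thread's output, with placeholder PIDs and the documentation address 192.0.2.10 standing in for the jail's real IP.

```python
"""Flag daemons listening beyond loopback in `sockstat -4l` output.

Added example (not from the thread). The sample listings below are
constructed; PIDs and the 1.2.3.x / 192.0.2.10 addresses are placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed host view: four jails' sendmails plus the host's own,
# which is bound to 127.0.0.1 only (sendmail_enable=NO default).
SAMPLE_HOST = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   1624  4  tcp4   1.2.3.5:25            *:*
root     sendmail   1624  4  tcp4   1.2.3.4:25            *:*
root     sendmail   1624  4  tcp4   1.2.3.3:25            *:*
root     sendmail   1624  4  tcp4   1.2.3.2:25            *:*
root     sendmail   1208  3  tcp4   127.0.0.1:25          *:*
root     sshd       60371 3  tcp4   *:22                  *:*
"""

# Constructed jail view: no 127.0.0.1 exists inside the jail, so every
# daemon, sendmail included, binds the jail's own address.
SAMPLE_JAIL = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   20951 4  tcp4   192.0.2.10:25         *:*
root     syslogd    45182 6  udp4   192.0.2.10:514        *:*
root     sshd       60371 3  tcp4   192.0.2.10:22         *:*
"""


@dataclass(frozen=True)
class Listener:
    user: str
    command: str
    pid: int
    proto: str
    address: str  # "*" for a wildcard bind
    port: str     # kept as text; sockstat prints "*" for unbound ports

    def is_loopback_only(self) -> bool:
        """True only when the socket is unreachable from other hosts."""
        if self.address == "*":
            return False
        try:
            return ipaddress.ip_address(self.address).is_loopback
        except ValueError:
            return False  # unparsable address: assume reachable (fail closed)


def parse_sockstat(text: str) -> List[Listener]:
    """Turn sockstat listing lines into Listener records, skipping the header."""
    listeners: List[Listener] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":
            continue  # header, blank or malformed line
        user, command, pid, _fd, proto, local, _foreign = fields[:7]
        address, _, port = local.rpartition(":")  # "1.2.3.5:25" -> ("1.2.3.5", "25")
        listeners.append(Listener(user, command, int(pid), proto, address, port))
    return listeners


def exposed_listeners(listeners: Iterable[Listener],
                      commands: Tuple[str, ...] = ("sendmail",)) -> Dict[str, List[str]]:
    """Map each watched command to the addr:port binds a remote peer could reach."""
    exposed: Dict[str, List[str]] = {c: [] for c in commands}
    for lst in listeners:
        if lst.command in exposed and not lst.is_loopback_only():
            exposed[lst.command].append(f"{lst.address}:{lst.port}")
    return exposed


def audit(text: str, commands: Tuple[str, ...] = ("sendmail",)) -> Dict[str, List[str]]:
    """Parse a listing and report the non-loopback binds of the watched daemons."""
    return exposed_listeners(parse_sockstat(text), commands)


if __name__ == "__main__":
    for name, sample in (("host", SAMPLE_HOST), ("jail", SAMPLE_JAIL)):
        for cmd, binds in audit(sample, ("sendmail", "sshd")).items():
            status = "EXPOSED on " + ", ".join(binds) if binds else "loopback only"
            print(f"[{name}] {cmd}: {status}")
```

On a real box, feed it `sockstat -4l` directly (for example `sockstat -4l | python3 audit.py` with a small stdin wrapper). Run on the host it reports the four jail sendmails as reachable and the host's own as loopback only, which is exactly why Mikhail recommends a firewall in front of the jails; run inside a jail it shows that "listening on the jail IP" and "listening on loopback" are the same socket, so no rc.conf knob will make sendmail local-only there.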

On 5/21/07, Mikhail Goriachev [EMAIL PROTECTED] wrote:
Maxim Khitrov wrote:
On 5/21/07, Mikhail Goriachev [EMAIL PROTECTED] wrote:
Maxim Khitrov wrote:
Hello,
I'm trying to restrict access to sendmail via hosts.allow. Don't need
a firewall, since I just want to block everyone but the localhost from
sending e-mail out. Anyway, it seems that sendmail ignores these
settings even though it was compiled with TCPWRAPPERS. I added
sendmail : all : deny as the very first line in hosts.allow, just to
see if it will let me connect from anywhere. It does - not just from
localhost, but from all remote locations as well. I have no problems
connecting and sending e-mail. Am I missing something?
I followed your earlier thread (hopefully this is a related topic). This
is strange. By default, sendmail is disabled. You don't even have to put
anything into rc.conf:
# grep sendmail /etc/defaults/rc.conf
Sendmail listens and accepts local mail only. You can't connect to it
from another machine:
# telnet some.host.tld 25
Trying 1.2.3.4...
telnet: connect to address 1.2.3.4: Connection refused
telnet: Unable to connect to remote host
You must've tweaked something to make it behave differently.
I tested the same setup with sshd, and that works properly. After a
quick search on google it seems that I'm not the only one with this
problem, but I couldn't find any solution to this. Any help is greatly
appreciated.
Share with us your testing methodology. From previous thread, I
understand that you just want something to submit your local mail (from
daemons, scripts, etc). Then as others already said, a simple alias in
/etc/mail/aliases and executing newaliases is sufficient.
Ok, so here's my current setup. I have sendmail_enable=NO in rc.conf
(same as not having it there I guess), I've modified /etc/mail/aliases
to forward everything sent to root to my gmail account, and I added
sendmail : all : deny as the first line to /etc/hosts.allow while
I'm testing everything. Once I make sure that the deny rule works,
I'll allow access to sendmail only from localhost. This is all on
FreeBSD 6.2, but it's running in a jail, so that might have some
effect.
From my previous thread, sendmail is used only to accept messages sent
by processes running on the server, and send them to real e-mails
specified in /etc/aliases. That part works. However, even though
sendmail_enable is set to NO in rc.conf, sendmail still listens on
port 25, accepts mail from remote hosts, and the hosts.allow rule
doesn't seem to apply. Strange, isn't it? By the way, I just tried
removing sendmail_enable line from rc.conf completely and that had no
effect.
All I do for testing is basically start/restart sendmail, then telnet
to the server from my workstation at home. I get a standard reply, and
can then do the usual HELO, MAIL FROM, RCPT TO, DATA, and so on.
Relaying doesn't work, but sending to and all other aliases works fine
(which in this case is bad).
Think this might be some bug when sendmail is running in a jail? I
haven't modified anything beyond what's mentioned in this e-mail, and
I've checked all the settings. I can definitely connect to the server
from remote hosts despite the rc.conf and hosts.allow configuration.
This is a different story now. On your host machine (as in jails' host),
sendmail binds to localhost and never responds to outside world. This is
expected. However, sendmail in a jail, binds to jail's IP address and
that is why you can talk to it from outside.
Run this on your host:
# sockstat -4l | grep sendmail
The output should look like this:
root sendmail 1624 4 tcp4 1.2.3.5:25 *:*
root sendmail 1624 4 tcp4 1.2.3.4:25 *:*
root sendmail 1624 4 tcp4 1.2.3.3:25 *:*
root sendmail 1624 4 tcp4 1.2.3.2:25 *:*
root sendmail 1208 3 tcp4 127.0.0.1:25 *:*
The first four are jails. The last one is host's sendmail being disabled.
I'd suggest using a firewall to protect your jails instead of trying to
completely disable sendmails.
I can't run that on my host, because I only have access to the jail
(I'm paying for a vps server with another host). That makes sense
however, I had a feeling that it was jail-related. But what about the
hosts.allow problem? I can run a firewall, of course, but hosts.allow
seems like a more efficient way of doing the same thing. I've already
got it configured and working with sshd, so I see no reason why
sendmail doesn't want to work the same way.
- Max

Maxim Khitrov wrote:
On 5/21/07, Mikhail Goriachev [EMAIL PROTECTED] wrote:
Maxim Khitrov wrote:
On 5/21/07, Mikhail Goriachev [EMAIL PROTECTED] wrote:
Maxim Khitrov wrote:
Hello,
I'm trying to restrict access to sendmail via hosts.allow. Don't need
a firewall, since I just want to block everyone but the localhost from
sending e-mail out. Anyway, it seems that sendmail ignores these
settings even though it was compiled with TCPWRAPPERS. I added
sendmail : all : deny as the very first line in hosts.allow, just to
see if it will let me connect from anywhere. It does - not just from
localhost, but from all remote locations as well. I have no problems
connecting and sending e-mail. Am I missing something?
I followed your earlier thread (hopefully this is a related topic). This
is strange. By default, sendmail is disabled. You don't even have to put
anything into rc.conf:
# grep sendmail /etc/defaults/rc.conf
Sendmail listens and accepts local mail only. You can't connect to it
from another machine:
# telnet some.host.tld 25
Trying 1.2.3.4...
telnet: connect to address 1.2.3.4: Connection refused
telnet: Unable to connect to remote host
You must've tweaked something to make it behave differently.
I tested the same setup with sshd, and that works properly. After a
quick search on google it seems that I'm not the only one with this
problem, but I couldn't find any solution to this. Any help is greatly
appreciated.
Share with us your testing methodology. From previous thread, I
understand that you just want something to submit your local mail (from
daemons, scripts, etc). Then as others already said, a simple alias in
/etc/mail/aliases and executing newaliases is sufficient.
Ok, so here's my current setup. I have sendmail_enable=NO in rc.conf
(same as not having it there I guess), I've modified /etc/mail/aliases
to forward everything sent to root to my gmail account, and I added
sendmail : all : deny as the first line to /etc/hosts.allow while
I'm testing everything. Once I make sure that the deny rule works,
I'll allow access to sendmail only from localhost. This is all on
FreeBSD 6.2, but it's running in a jail, so that might have some
effect.
From my previous thread, sendmail is used only to accept messages sent
by processes running on the server, and send them to real e-mails
specified in /etc/aliases. That part works. However, even though
sendmail_enable is set to NO in rc.conf, sendmail still listens on
port 25, accepts mail from remote hosts, and the hosts.allow rule
doesn't seem to apply. Strange, isn't it? By the way, I just tried
removing sendmail_enable line from rc.conf completely and that had no
effect.
All I do for testing is basically start/restart sendmail, then telnet
to the server from my workstation at home. I get a standard reply, and
can then do the usual HELO, MAIL FROM, RCPT TO, DATA, and so on.
Relaying doesn't work, but sending to and all other aliases works fine
(which in this case is bad).
Think this might be some bug when sendmail is running in a jail? I
haven't modified anything beyond what's mentioned in this e-mail, and
I've checked all the settings. I can definitely connect to the server
from remote hosts despite the rc.conf and hosts.allow configuration.
This is a different story now. On your host machine (as in jails' host),
sendmail binds to localhost and never responds to outside world. This is
expected. However, sendmail in a jail, binds to jail's IP address and
that is why you can talk to it from outside.
Run this on your host:
# sockstat -4l | grep sendmail
The output should look like this:
root sendmail 1624 4 tcp4 1.2.3.5:25 *:*
root sendmail 1624 4 tcp4 1.2.3.4:25 *:*
root sendmail 1624 4 tcp4 1.2.3.3:25 *:*
root sendmail 1624 4 tcp4 1.2.3.2:25 *:*
root sendmail 1208 3 tcp4 127.0.0.1:25 *:*
The first four are jails. The last one is host's sendmail being disabled.
I'd suggest using a firewall to protect your jails instead of trying to
completely disable sendmails.
I can't run that on my host, because I only have access to the jail
(I'm paying for a vps server with another host). That makes sense
however, I had a feeling that it was jail-related. But what about the
hosts.allow problem? I can run a firewall, of course, but hosts.allow
seems like a more efficient way of doing the same thing. I've already
got it configured and working with sshd, so I see no reason why
sendmail doesn't want to work the same way.
Oh... right. Can't tell you much about hosts.allow, especially in jails,
but I reckon someone else will.
Good luck!
Regards,
Mikhail.
--
Mikhail Goriachev
Webanoide
Telephone: +61 (0)3 62252501
Mobile Phone: +61 (0)4 38255158
E-Mail: [EMAIL PROTECTED]
Web: www.webanoide.org

Can anyone confirm this behavior on their machine? Doing an
ldd /usr/libexec/sendmail/sendmail shows:
/usr/libexec/sendmail/sendmail:
libutil.so.3 => /usr/lib/libutil.so.3 (0x280fd000)
libwrap.so.3 => /usr/lib/libwrap.so.3 (0x28106000)
libssl.so.3 => /usr/lib/libssl.so.3 (0x2810e000)
libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x2813e000)
libc.so.4 => /usr/lib/libc.so.4 (0x2823e000)
so it's clearly linked with libwrap. What's going on here??
According to Rich Winkel:
According to Ruben de Groot:
On Sun, Aug 29, 2004 at 11:53:55PM -0500, Rich Winkel typed:
I'm running 4.10-release-p2. Sendmail is ignoring hosts.allow.
Is this a known problem?
AFAIK, no. Could you post your hosts.allow? Are you using sendmail from
the base system?
Hi, sorry I was burnt out from lack of sleep and beating my head
against the wall :) I'm using the base system sendmail.
I just put (as an example):
sendmail : 127.0.0.1 : deny
as the first line of /etc/hosts.allow,
kill and restart sendmail (just in case) and do a
telnet localhost 25
and it still connects:
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 crusty.math.missouri.edu ESMTP Sendmail 8.12.11/8.12.11; Mon, 30 Aug 2004 09:35:29 -0500 (CDT)
quit
221 2.0.0 crusty.math.missouri.edu closing connection
Do I need anything special in sendmail.cf? I don't think I used to ...
Can anyone confirm this on their system?
Thanks!!!
Rich